General

Target: SecuriteInfo.com.W32.AIDetect.malware1.8119.17745
Size: 301KB
Sample: 210311-4lvz6rzrxj
MD5: 4945a14049174b18fc91e04b65dc0dd5
SHA1: 28086f5cc0b9f97014575dac95b9de5065977a83
SHA256: ea8588de894d9657daa047958ca98c5e9549ca25bc09e9df2a9c8ae044daef42
SHA512: 10e478b6f5d6eb81713f92d8c25a4ee517bd5d37e5962bc16d7b9be652770d844ce537777ec0d023e83069f2de43195cfd08ca1992853d1f7bc6bb35ece3656f
Static task: static1

Behavioral task: behavioral1
  Sample: SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
  Resource: win10v20201028
Malware Config (extracted)

Family: smokeloader
Version: 2019
C2 URLs:
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
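The C2 list above is only useful once it is turned into something a detection pipeline can match on. The following script is an added example (not part of the sandbox report) that parses a subset of the extracted URLs into a hostname set, defangs them for reporting, and runs that set over a few Sysmon-style DNS query lines. Both the log lines and the `query=` field layout are constructed for this example; the five URLs are copied verbatim from the config.

```python
"""Turn the extracted Smokeloader C2 URL list into a hostname set and
match it against DNS query log lines.  Added example; the log lines
and their layout are constructed, not sandbox telemetry."""
import re
from urllib.parse import urlsplit

# Subset of the C2 URLs from the extracted config (copied verbatim).
C2_URLS = """
http://10022020newfolder1002002131-service1002.space/
http://10022020test125831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020test14781-service1002012510022020.info/
http://10022020yirtest231-service1002012510022020.ru/
"""


def extract_hosts(config_text):
    """Return the set of lowercase hostnames in a URL-per-line config dump.

    Blank lines are skipped; anything that is not an http(s) URL with a
    host raises, so a malformed config line is noticed instead of silently
    shrinking the blocklist."""
    hosts = set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"unexpected C2 entry: {line!r}")
        hosts.add(parts.hostname.lower())
    return hosts


def defang(host):
    """Render a hostname so it is not clickable in a report: dots become [.]."""
    return host.replace(".", "[.]")


# Constructed DNS query events; only the "query=<name>" field is parsed.
SAMPLE_LOG = """
2021-03-11 04:40:12 host=WS01 pid=1234 image=C:\\Users\\a\\AppData\\Local\\Temp\\x.exe query=10022020test14781-service1002012510022020.info
2021-03-11 04:40:13 host=WS01 pid=1234 image=C:\\Users\\a\\AppData\\Local\\Temp\\x.exe query=www.microsoft.com
2021-03-11 04:40:15 host=WS02 pid=777 image=C:\\Windows\\explorer.exe query=10022020EST213531-service100201242510022020.ru
"""

QUERY_RE = re.compile(r"query=(\S+)")


def match_log(log_text, hosts):
    """Return (line_number, defanged_host) for each line whose queried name
    is a known C2 host.  Names are lowercased and a trailing dot (FQDN
    form) is stripped before comparison so case or notation differences
    do not cause a miss."""
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")
        if name in hosts:
            hits.append((n, defang(name)))
    return hits


if __name__ == "__main__":
    c2_hosts = extract_hosts(C2_URLS)
    for n, host in match_log(SAMPLE_LOG, c2_hosts):
        print(f"line {n}: DNS lookup for C2 host {host}")
```

Matching on the hostname rather than the full URL is deliberate: the report's URLs all end in `/`, but the loader may request arbitrary paths, and DNS telemetry never carries the path at all.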
Targets

Target: SecuriteInfo.com.W32.AIDetect.malware1.8119.17745
Size: 301KB
MD5: 4945a14049174b18fc91e04b65dc0dd5
SHA1: 28086f5cc0b9f97014575dac95b9de5065977a83
SHA256: ea8588de894d9657daa047958ca98c5e9549ca25bc09e9df2a9c8ae044daef42
SHA512: 10e478b6f5d6eb81713f92d8c25a4ee517bd5d37e5962bc16d7b9be652770d844ce537777ec0d023e83069f2de43195cfd08ca1992853d1f7bc6bb35ece3656f

Signatures triggered by this target:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Modifies Installed Components in the registry
- Deletes itself
- Loads dropped DLL
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
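Two of the signatures above ("Checks installed software on the system" and "Enumerates connected drives") describe behaviour that is easy to re-detect from host telemetry. The script below is an added example, not the sandbox's own signature logic: it scans Procmon-style CSV events (Process Name, PID, Operation, Path, Result) for reads under the `Uninstall` registry key and for opens of drive roots other than `C:\`, and flags a process once it shows either pattern. The event rows are constructed for this example; the column layout is an assumption about the export format.

```python
"""Re-detect the report's "checks installed software" and "enumerates
connected drives" behaviours in Procmon-style CSV events.  Added example
with constructed events; column names are assumed, not taken from the
sandbox."""
import csv
import io
import re

# HKLM/HKCU ...\CurrentVersion\Uninstall\<product>, with or without WOW6432Node.
UNINSTALL_RE = re.compile(
    r"^HK(?:LM|CU)\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\Uninstall\\[^\\]+",
    re.IGNORECASE,
)
# Root of any drive letter other than C:, e.g. "D:\" or "E:\".
DRIVE_ROOT_RE = re.compile(r"^[ABD-Z]:\\$", re.IGNORECASE)

# Constructed Procmon-style export.  sample.exe walks two Uninstall entries
# and probes D:\ and E:\; explorer.exe touches an unrelated key.
EVENTS_CSV = """Process Name,PID,Operation,Path,Result
sample.exe,4120,RegOpenKey,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip,SUCCESS
sample.exe,4120,RegQueryValue,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip\\DisplayName,SUCCESS
sample.exe,4120,RegQueryValue,HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Notepad++\\DisplayName,SUCCESS
sample.exe,4120,CreateFile,C:\\,SUCCESS
sample.exe,4120,CreateFile,D:\\,SUCCESS
sample.exe,4120,CreateFile,E:\\,NAME NOT FOUND
explorer.exe,1380,RegQueryValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden,SUCCESS
"""


def scan_events(csv_text):
    """Group per PID the distinct Uninstall entries read and the non-C:
    drive roots opened.  Failed opens (e.g. NAME NOT FOUND) still count:
    the signature is about the attempt, not whether a drive existed."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = int(row["PID"])
        entry = findings.setdefault(
            pid, {"process": row["Process Name"],
                  "uninstall_keys": set(), "drive_roots": set()},
        )
        path = row["Path"]
        if row["Operation"].startswith("Reg"):
            m = UNINSTALL_RE.match(path)
            if m:
                entry["uninstall_keys"].add(m.group(0).lower())
        elif row["Operation"] == "CreateFile" and DRIVE_ROOT_RE.match(path):
            entry["drive_roots"].add(path.upper())
    return findings


def triage(findings, min_uninstall_keys=2):
    """Return (pid, process, reasons) for processes showing either behaviour.

    A single Uninstall-key read is common in legitimate installers and
    updaters, so enumeration is only reported once a process has touched
    at least `min_uninstall_keys` distinct product entries."""
    flagged = []
    for pid, f in sorted(findings.items()):
        reasons = []
        if len(f["uninstall_keys"]) >= min_uninstall_keys:
            reasons.append("checks installed software (%d Uninstall entries)"
                           % len(f["uninstall_keys"]))
        if f["drive_roots"]:
            reasons.append("enumerates connected drives (%s)"
                           % ", ".join(sorted(f["drive_roots"])))
        if reasons:
            flagged.append((pid, f["process"], reasons))
    return flagged


if __name__ == "__main__":
    for pid, proc, reasons in triage(scan_events(EVENTS_CSV)):
        print(f"{proc} (pid {pid}): " + "; ".join(reasons))
```

The threshold in `triage` is the knob that matters in production: the sandbox can afford to flag a single Uninstall lookup because it is already looking at a suspect file, whereas the same rule over a whole fleet needs the count (and ideally the originating image path) before it is worth an analyst's time.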